INSECURE LOGGING
- Layout for this exercise:
- Connecting from Santoku to Nexus 5 with ADB:
- Launching the application:
- The first challenge is about how insecure logging may leak sensitive information introduced by users unaware of the vulnerability:
- The application prompts the user to introduces a credit card number:
- From Santoku, the PID of the process is discovered:
- Android holds a centralized logging system that is accessible to all applications on the device. The ADB shell logcat command grepped to the DIVA's PID number outputs in real time debugging information about the application:
- To test the vulnerability, the user introduces his 16 digits credit card number. The answer by the app is an error message:
- However, the logcat command from Santoku shows in plain text the credit number introduced by the user of the application: